[Senate Hearing 112-867]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-867

 
   YOUR HEALTH AND YOUR PRIVACY: PROTECTING HEALTH INFORMATION IN A 
                             DIGITAL WORLD

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON PRIVACY,
                         TECHNOLOGY AND THE LAW

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 9, 2011

                               __________

                          Serial No. J-112-51

                               __________

         Printed for the use of the Committee on the Judiciary


                  U.S. GOVERNMENT PRINTING OFFICE
87-166                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  


                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island     LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
                                 ------                                

            Subcommittee on Privacy, Technology and the Law

                    AL FRANKEN, Minnesota, Chairman
CHUCK SCHUMER, New York              TOM COBURN, Oklahoma
SHELDON WHITEHOUSE, Rhode Island     ORRIN G. HATCH, Utah
RICHARD BLUMENTHAL, Connecticut      LINDSEY GRAHAM, South Carolina
                Alvaro Bedoya, Democratic Chief Counsel
                Elizabeth Hays, Republican Chief Counsel


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

Franken, Hon. Al, a U.S. Senator from the State of Minnesota
Coburn, Hon. Tom, a U.S. Senator from the State of Oklahoma

                               WITNESSES

Lynch, Loretta, U.S. Attorney for the Eastern District of New 
  York, U.S. Department of Justice, Brooklyn, New York
    prepared statement
Rodriguez, Leon, Director, Office of Civil Rights, U.S. 
  Department of Health and Human Services, Washington, DC
    prepared statement
McGraw, Deven, Director, Health Privacy Project, Center for 
  Democracy and Technology, Washington, DC
    prepared statement
Myrold, Kari, Privacy Officer, Hennepin County Medical Center, 
  Minneapolis, Minnesota
    prepared statement

                               QUESTIONS

Questions for Deven McGraw, Leon Rodriguez, and Kari Myrold 
  submitted by Senator Al Franken

                         QUESTIONS AND ANSWERS

Responses of Deven McGraw to Questions Submitted by Senator 
  Franken
Responses of Leon Rodriguez to Questions Submitted by Senator Al 
  Franken
Responses of Kari Myrold to Questions Submitted by Senator Al 
  Franken

                       SUBMISSIONS FOR THE RECORD

Letter from AARP to Senators Patrick Leahy, Al Franken, Charles 
  Grassley, and Tom Coburn


   YOUR HEALTH AND YOUR PRIVACY: PROTECTING HEALTH INFORMATION IN A 
                             DIGITAL WORLD

                              ----------                              


                      WEDNESDAY, NOVEMBER 9, 2011

                                       U.S. Senate,
           Subcommittee on Privacy, Technology and the Law,
                                Committee on the Judiciary,
                                                     Washington, DC
    The Subcommittee met, pursuant to notice, at 2:33 p.m., 
Room SD-226, Dirksen Senate Office Building, Hon. Al Franken, 
presiding.
    Present: Senators Whitehouse, Blumenthal, and Coburn.

 OPENING STATEMENT OF HON. AL FRANKEN, A U.S. SENATOR FROM THE 
                       STATE OF MINNESOTA

    Senator Franken. This hearing of the Senate Judiciary 
Subcommittee on Privacy, Technology and the Law will be called 
to order. This is our Subcommittee's second hearing, and this 
one will focus on the important issue of health privacy.
    Over the past two decades, an incredible thing has 
happened. You can now put your entire medical history, every 
chart, every X-ray, every test, every last doctor's note on a 
thumb drive this size, and even better, once that electronic 
health record is put on a network, any doctor authorized on 
that network can access that information instantaneously from 
across the State or across the country.
    This means you don't have to rely on your memory to tell 
your doctor when your last tetanus shot was. It means that in a 
crisis, doctors in an emergency room can find out in seconds 
exactly what medicines an accident victim has been prescribed, 
and it means that when you change doctors or move cities you 
can be sure that your doctors will know everything that they 
need to know about you and your health history.
    But the most important story I've heard to explain the need 
for electronic health records comes from the Hennepin County 
Medical Center, which I'm proud to say will be represented 
today by Kari Myrold, their privacy officer. HCMC was one of 
the first hospitals in Minnesota to develop an electronic 
health record system. HCMC is actually about five or six blocks 
from my home in Minneapolis.
    As it turns out, HCMC is also just one mile from the I-35W 
bridge in Minneapolis, which collapsed in August of 2007. One 
month before that bridge collapsed, they had just completed a 
full implementation of electronic health records throughout the 
hospital. But that day in August when the bridge collapsed, its 
policies still called for using paper records in the event of a 
major catastrophe, so when the bridge collapsed and patients 
started coming in, staff used paper records for the first two 
patients.
    After those first two, the doctors made a decision to 
switch to electronic records. They found that it allowed them 
to call up patients' charts and track patients throughout the 
hospital and in other systems far easier than paper records. 
When disaster struck, that decision to use electronic health 
records allowed the Hennepin County Medical Center to tend to 
those victims more quickly and more effectively.
    Examples like this one quickly persuaded the medical 
community and Congress of the value of electronic health 
records, so in 2009 Congress wrote and passed bipartisan 
legislation called the HITECH Act to create financial 
incentives to get doctors and hospitals around the country to 
start using electronic health records. I am proud to say that 
the Hennepin County Medical Center was one of the first 
hospitals in the Nation to qualify for HITECH Act funds.
    But we need to get all the benefits of electronic health 
records while still protecting the extraordinarily sensitive 
information that they contain. I believe all Americans have a 
fundamental right to know who has their personal information 
and to control who gets that information and with whom it is 
shared.
    I also think--welcoming the Ranking Member, Senator Coburn. 
Good afternoon, sir. Doctor.
    Senator Coburn. It's still morning back home.
    Senator Franken. It is morning in Oklahoma. Let the record 
show that.
    [Laughter.]
    Senator Franken. Good morning.
    I also think that our fundamental right to privacy includes 
the right to know that our sensitive information, wherever it 
is, is safe and secure. Unfortunately, breach after breach of 
health data has shown us that when it comes to health 
information our right to privacy is not being fully protected. 
On the evening of July 28, 2011, a laptop was stolen from the 
backseat of a consultant's car in the Seven Corners 
neighborhood in Minneapolis.
    That laptop contained the names, dates of birth, Social 
Security numbers, and medical information for approximately 
14,000 patients of Fairview Health Services, and the names and 
medical information for another 2,800 patients of the North 
Memorial Medical Center. Those hospitals had told the 
consultant to encrypt that data. The consultant didn't do that, 
so it wasn't encrypted.
    Sadly, that was the third incident in about a year where 
the health data of Minnesotans was put at risk as the result of 
a laptop theft. In fact, since the collection of breach records 
started in 2009, 91 laptops containing the health information 
of approximately 1.8 million people have been lost or stolen. 
That is just a subset of a total of 364 major breaches since 
2009 that resulted in the breach of health data of over 18 
million Americans. This has been happening since far before 
2009.
    In 2002, for example, the U.S. Veterans Administration 
Medical Center in Indianapolis sold or donated 139 computers 
without removing information on their hard drives that revealed 
the names of veterans who had been diagnosed with AIDS or 
mental illnesses. In 2001, the detailed psychological records 
of 62 children and teenagers were accidentally posted on the 
University of Montana Web site for eight days.
    The truth is that the same wonderful technology that has 
revolutionized patient health records has also created very 
real and very serious privacy challenges. Now, this is not a 
new problem and we're not the first lawmakers to call it to 
light. In the past 15 years, Congress has passed major 
bipartisan legislation to protect health information privacy.
    In 1996, Congress passed the Health Insurance Portability 
and Accountability Act, commonly known as HIPAA. HIPAA set out 
that health care providers and insurers have to protect their 
health data. It also required that they get their patients' 
permission before disclosing that information to certain third 
parties. Yet although HIPAA made strides toward better 
protecting patients' privacy, it also left some substantial 
gaps.
    So in 2009, Congress passed the bipartisan HITECH Act as 
part of the Recovery Act. The HITECH Act extended many of the 
same privacy and security rules that apply to doctors and 
hospitals to their contractors. This was called the Business 
Associate Rule. The HITECH Act also required health care 
providers and health insurers to notify people affected by a 
breach and increased the civil and criminal penalties for 
violations of all of these rules.
    When Congress passed the HITECH Act it sent a clear 
bipartisan signal that it was time to get serious about health 
information privacy. Unfortunately, all signs indicate that 
we're still not there either in terms of the protections we 
have in place or the way that we've been implementing and 
enforcing those protections. A lot of the crucial protections 
of the HITECH Act have yet to be implemented.
    For example, HHS has yet to issue final enforceable rules 
on a number of critical protections, like the Business 
Associate Rule. And while the Department of Health and Human 
Services and the Department of Justice have increased 
enforcement in the past one or two years, the overall record of 
enforcement is simply not satisfactory.
    Of the approximately 22,500 complaints that HHS has 
received since 2003 that it had authority to investigate, HHS 
has levied a formal fine or civil monetary penalty in one case, 
just one. They have reached monetary settlement agreements in 
six other cases.
    DOJ's record on this is similarly mixed. Since 2003, HHS 
has referred about 495 cases to DOJ for prosecution, but since 
then, DOJ has prosecuted just 16 criminal HIPAA cases. DOJ has 
reported to me that they have prosecuted some cases under 
statutes other than HIPAA, like identity theft and computer 
hacking statutes, but DOJ has no records or estimates of how 
many of those stem from HIPAA cases. It is hard for Congress to 
conduct oversight over DOJ without this data.
    Now, I want to be clear, there are explanations for these 
facts and figures and a lot of the responsibility lies on the 
shoulders of Congress. Congress perhaps should have instituted 
stronger reporting requirements on DOJ for enforcement, and 
HHS's low enforcement statistics are in large part the product 
of what I think is a wise Department-wide policy to work with 
companies to fix privacy problems and not just fine them.
    But I think it's safe to say that we need to do more to 
protect this data, and that's what this hearing is all about, 
figuring out if we are doing enough and doing everything that 
we should be doing to enforce existing laws, and then figuring 
out if we need new laws and regulations to fill in the gaps.
    Before I turn to my friend, the Ranking Member, I want to 
recognize that the work we're doing today continues the work 
that has been done for 15 years here in the Judiciary Committee 
under Chairman Leahy, and of course in the Health, Education, 
Labor and Pensions Committee under Chairman Harkin, and their 
predecessors on both sides of the aisle. I sincerely believe 
that health information policy and privacy is a bipartisan 
issue and a bipartisan cause, and one that will require a 
bipartisan solution.
    With that, I will turn to Senator Coburn, who is a watchdog 
of the Federal Government, and as a physician will have a very 
valuable voice in today's hearing.
    Senator Coburn, good morning.

STATEMENT OF HON. TOM COBURN, A U.S. SENATOR FROM THE STATE OF 
                            OKLAHOMA

    Senator Coburn. Thank you, Mr. Chairman. Thank you for 
holding the hearing. I regret I have other obligations so I'm 
only going to be able to be here for about 45 minutes.
    I would make some points. Think about this as a patient's 
chart in my office. The likelihood with this as a chart, of 
anybody having access to that other than the people that should 
have it, it is about zero. Now think about me putting it on a 
computer and think about the potential for other people having 
it. When HIPAA was first passed, I was in the Congress and I 
voted against it, because as a practicing physician the goal 
was worthy, but the costs associated with it--the Clinton 
administration admitted that it would cost about $17.6 billion 
over 10 years. It ended up costing about $9 billion a year back 
then.
    What we're attempting to do is a good thing. What we've 
attempted in terms of our laws is not going to be cost 
effective. All you have to do is read the Institute of Medicine 
report about the increased number of mistakes and the increased 
errors that are going to come from an electronic medical 
record.
    The other thing we've done with the Affordable Care Act is 
we've mandated that you're going to have an electronic medical 
record. So we've mandated all the records that are secure in my 
office in Muskogee, Oklahoma, are going to go onto a 
potentially insecure data base. No matter what I do, there's 
always somebody that's going to get around it and I'm going to 
spend a lot of dollars as a doctor proving that I've done what 
the government says I can do, which still may not prevent that 
data from being there. So I'm anxious to hear.
    I know we have a problem with this. What my question is, is 
whether or not we've gone about it the right way. We're 
spending a ton of money paying doctors to put records online. 
They have plenty of money to put records online themselves, but 
we're going to pay them to do it. They are some of the highest 
earners in our country, and yet we've decided we're going to 
subsidize their computer and their software program for it.
    So I look forward to the statements. I have a real concern, 
both for the privacy issue, but also the goal that we're trying 
to accomplish may not be accomplishable. There are always going 
to be people that will go around it. Just ask our Defense 
Department with China right now, ask our private companies with 
China right now, the hacking that's going on, the very 
sophisticated people that are going to try. They've got to get 
into my office to get it when it's on a piece of paper. They've 
got to get into my office. So maybe we ought to re-think some 
of what we're doing, both in terms of privacy, but also cost.
    Mr. Chairman, thank you.
    Senator Franken. Thank you, Senator Coburn. I'm sorry that 
you missed the beginning of my statement. I was talking about 
how HCMC, Hennepin County Medical Center, which is just a few 
blocks from my home in Minnesota, benefited from the use of 
electronic health records in the aftermath of the 35W bridge 
collapse. We will have this discussion. You will hopefully be 
able to stay for some of the second panel and ask your--I'll 
certainly yield to you to ask questions before you have to 
leave before anybody else.
    With that, I'd like to now introduce our first panel of 
witnesses. Loretta Lynch is the U.S. Attorney for the Eastern 
District of New York. Ms. Lynch is a member of the Health Care 
Fraud Working Group of the Attorney General's Advisory 
Committee. In fact, the Health Care Fraud Prevention and 
Enforcement Action Team in her district has brought major cases 
involving Medicare and health insurance fraud. Prior to this 
position she was a partner at a law firm in private practice. 
Ms. Lynch received her law degree and bachelor's degree at--
it's pronounced Harvard.
    Leon Rodriguez is the new Director of the Office for Civil 
Rights at the Department of Health and Human Services. As 
Director of the office, Mr. Rodriguez oversees enforcement of 
HIPAA and the HITECH Act. Prior to his post at HHS, he was 
Chief of Staff and Deputy Assistant Attorney General for the 
Department of Justice Civil Rights Division. Mr. Rodriguez 
received his law degree at Boston College and his undergraduate 
degree at Brown University.
    Thank you both for being here today. Why don't we start 
with Ms. Lynch.

   STATEMENT OF LORETTA LYNCH, U.S. ATTORNEY FOR THE EASTERN 
 DISTRICT OF NEW YORK, U.S. DEPARTMENT OF JUSTICE, BROOKLYN, NY

    Ms. Lynch. Thank you, and good afternoon, Mr. Chairman, 
Ranking Member Coburn, and Members of the Subcommittee. Thank 
you for the opportunity to join our partners at the Department 
of Health and Human Services in discussing the enforcement of 
Federal laws protecting patient medical records.
    As U.S. Attorney for the Eastern District of New York, and 
as you've heard, a member of the Health Care Fraud Working 
Group of the Attorney General's Advisory Committee, I can tell 
you that patient privacy is of utmost importance to the 
Department of Justice.
    Strong privacy protections help ensure that patients are 
candid with their health care providers about their medical 
needs. For patients, the public disclosure of personal medical 
details can lead to profound humiliation. Breaches of medical 
privacy can also result in financial losses, in the millions of 
dollars, to government and private health care plans.
    Protecting patient health records is especially critical as 
our country tries to reduce health care costs by promoting the 
use of electronic medical records. Through the Health Insurance 
Portability and Accountability Act, or HIPAA, as recently 
strengthened by the HITECH amendments, Congress has provided 
three distinct tools to enforce HIPAA's protections: first, HHS 
is empowered to impose civil monetary penalties; second, State 
attorneys general can initiate civil proceedings for injunctive 
relief and financial penalties; and third, the Department of 
Justice can investigate and prosecute violations of HIPAA's 
criminal provisions.
    In order to carry out the multi-tier enforcement system 
developed by Congress it is essential that the agencies 
enforcing HIPAA act together in a coordinated manner. 
Currently, the FBI routinely coordinates potentially criminal 
HIPAA violations with the Office for Civil Rights for HHS. HHS 
has an established process for receiving complaints of 
potential HIPAA violations from the public and also receives 
information about potential violations through self-disclosure 
from health care providers.
    HHS forwards to the FBI all HIPAA complaints or disclosures 
which may involve criminal violations of the statute. If the 
local U.S. Attorney's Office determines that the particular 
matter is not appropriate for criminal prosecution, HHS OCR can 
then determine whether to assess a civil monetary penalty.
    The Department also prosecutes a number of cases which may 
involve breaches of medical privacy but which come to the FBI 
or the Department through other referral methods such as 
complaints of identity theft or Medicare fraud. The smaller 
subset of medical record privacy breaches that warrant DOJ 
criminal enforcement generally tend to fall into one of three 
fact patterns.
    First, we've prosecuted criminally when medical records and 
identities were stolen to commit massive health care frauds. 
These cases caused grave societal harm, both because the 
patients' historical medical and insurance records are 
corrupted, and also because there are often massive losses, 
profoundly draining precious health care payment resources.
    Recently, the Department charged 73 defendants, alleged 
members of an Armenian-American organized crime enterprise, 
involving more than $163 million in fraudulent Medicare billing 
in 25 States. The scheme was allegedly accomplished through the 
theft of the identities of the doctors and thousands of 
Medicare beneficiaries. That indictment included RICO charges 
predicated upon identity theft and credit card violations.
    Second, we prosecute when medical records are stolen for 
the purpose of embarrassing particular patients, for example, 
to sell the records of a celebrity patient to a media outlet or 
to extort ransom payments to avert the disclosure of customer 
health records. An administrative assistant at the UCLA Medical 
Center pleaded guilty to illegally obtaining celebrity health 
records after receiving thousands of dollars from a media 
outlet.
    In September 2009, an Indianapolis defendant was sentenced 
to three years in prison for stealing health insurance records 
of over 900,000 individuals. The defendant had threatened to 
publish this personal information and confidential medical data 
on the Internet unless each victim insurance company paid him 
$1,000 per week for four years.
    Finally, we bring criminal cases where the ultimate motive 
is to steal patients' identities to commit financial fraud. 
When the conduct rises to the level meriting a criminal 
prosecution, we are fortunate to have a variety of criminal 
statutes to address the various fact patterns that we see in 
the medical records privacy cases.
    In addition to the HIPAA criminal provision, the 
Department's prosecutors can utilize health care fraud 
statutes, unlawful computer access statutes, identity theft 
statutes, and conspiracy statutes, and we are extremely 
appreciative of Congress' support in providing each of these 
tools.
    Mr. Chairman, thank you for inviting me here to testify 
today, and I am pleased to answer any questions that you may 
have.
    Senator Franken. Thank you very much, Ms. Lynch. Your 
complete written testimony will be made part of the record.
    [The prepared statement of Ms. Lynch appears as a 
submission for the record.]
    Senator Franken. Mr. Rodriguez, you have about five minutes 
or so.

STATEMENT OF LEON RODRIGUEZ, DIRECTOR, OFFICE FOR CIVIL RIGHTS, 
  U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES, WASHINGTON, DC

    Mr. Rodriguez. Good afternoon, Chairman Franken, good 
morning, Ranking Member Coburn, and good afternoon Senators 
Whitehouse and Blumenthal. Thank you very much for having me 
before the Committee today. It is an honor to be here and to 
talk about the important work that the Office for Civil Rights 
does in enforcing the HIPAA statute and the HITECH statute.
    I'd like to focus in my oral remarks on the new authorities 
that we have under the HITECH statute and the direction that I 
expect my office will be taking in the years to come.
    As the Chairman has observed, the HITECH statute created 
significant new requirements and authorities in the privacy and 
security realm. The first of these is the breach notification 
rule which has been in effect as an interim final rule since 
2009. We have received a number of notifications during that 
time of significant breaches of health information.
    One of the things that is notable about many of those 
breaches--in fact how low-tech they are--in many cases the 
breaches involve theft or loss of actual hard items, such as 
laptops or Blackberries, in addition to the expected hacking, 
improper access to health information. So our experience under 
the breach notification rule has been an important pathway for 
us to identify and then develop means to close some of the real 
vulnerabilities that exist in the area of health information.
    Another notable element of our experience with the breach 
notification rule, and it's also borne out in our larger 
enforcement program, is the degree to which business associates 
are the source from which protected health records are 
compromised. So it is an important part of the HITECH statute 
that authorized us to, and we are currently working diligently 
on regulations that will help us initiate our enforcement in 
this area, given that many of these records in fact come from 
business associates.
    Now the HIPAA requirements will be extended directly to 
business associates, whereas before only covered entities were 
subject to those requirements, who were then required to extend 
those requirements via contract to business associates.
    Finally, and most importantly, the HITECH statute has given 
us much increased penalties for violations of the privacy and 
security rules. So whereas before the maximum penalties were 
capped at $25,000 per year, for identical violation, we are now 
in an environment where those penalties are capped at $1.5 
million per year, for identical violation, giving us a very 
strong enforcement tool with which to police these issues.
    In fact, you've seen the very beginnings of that policing. 
You've seen our case against Massachusetts General Hospital, a 
teaching institution in Boston, where loss of protected health 
information exposed a number of other vulnerabilities and 
deficiencies in the manner in which the hospital maintained its 
protected health information.
    In the case of our enforcement, which is covered in detail 
in our prepared remarks, against CVS and Rite Aid, you had a 
situation where hard-copy records were placed in the dumpster. 
We talk about the vulnerabilities that are out there, and it 
could not be more prosaic than that. Hard-copy records were 
placed in the dumpster, potentially exposed to having people 
see incredibly detailed, incredibly personal health information 
of their neighbors.
    In these cases we've seen fines range from a million to 
millions of dollars, so pretty significant fines. I am the 
first Director of the Office for Civil Rights to come to the 
office with experience, both extensive experience in law 
enforcement and as a health provider lawyer. It is my 
commitment to really ramp up the enforcement of the office in 
the months and years to come and to have us in a place where 
these examples that I've talked about are just the beginnings 
of our enforcement in this area.
    Additionally, under HITECH, we are in the middle right now 
of an audit pilot where we will be auditing for compliance with 
the privacy and security rules as many as 150 entities. This 
will show us where a number of vulnerabilities may exist and 
also provide us necessary information as we shape our permanent 
audit program. Finally, in this area, we have been involved in 
extensive collaboration with State attorneys general in the 
area of privacy enforcement.
    It's a pleasure to be here today and I look forward to 
answering your many questions.
    Senator Franken. Thank you, Mr. Rodriguez. Again, your 
remarks will be in the record for whatever I told Ms. Lynch.
    [Laughter.]
    Mr. Rodriguez. OK.
    [The prepared statement of Mr. Rodriguez appears as a 
submission for the record.]
    Senator Franken. I would note, as you said, that there has 
been a ramp-up in enforcement, but I'm going to probably be 
focusing some of my questions here on some of the--and asking 
for explanations of some lack of enforcement.
    I want to definitely be able to get through this panel. I 
hope that the Ranking Member can stay for some of the testimony 
of the next panel just to hear, because I think that while 
today we're talking about privacy and some of the problems that 
we've had in this, I think that both Ms. McGraw and Ms. Myrold 
will be speaking--especially Ms. Myrold who works at HCMC--to 
some of the benefits that we've had from electronic health 
records. For example, that file that the Ranking Member held up 
that would be in his office on one of his patients who is 
wonderfully taken care of by him, if it was the middle of the 
night in Oklahoma--I'm sorry. What town in Oklahoma are you 
from?
    Senator Coburn. It's on a need-to-know basis.
    [Laughter.]
    Senator Franken. OK.
    Senator Coburn. I'm an Okie from Muskogee.
    Senator Franken. OK. OK. Oh, you're from Muskogee?
    Senator Coburn. Yes.
    Senator Franken. OK. Well, I didn't need to know that.
    [Laughter.]
    Senator Franken. But now I do. OK.
    Well, let's say you are asleep in your home in Muskogee and 
somebody--one of your patients was in Vienna. So there.
    [Laughter.]
    Senator Franken. Now, the point is that if their electronic 
health records were available, it might be helpful. That's my 
only point.
    So let's go with the questions. Mr. Rodriguez, since 2003 
when the privacy and security rules became enforceable, the 
Department of Health and Human Services has received over 
64,000 complaints from consumers for alleged violations of the 
rules; about 22,500 of those were against entities that HHS had 
the authority to investigate.
    Of those 22,500, HHS has secured one civil monetary penalty 
and only six other monetary settlements. I know a large part of 
this is your Department's policy of trying to get businesses to 
voluntarily comply with health regulations rather than fining 
them, and I generally think that's a good thing. I also know 
that again, in the past year, HHS has increased enforcement by 
a lot. But these figures seem quite low. How would you explain 
them?
    Mr. Rodriguez. Sure. I think, Senator, first of all, I 
think you've identified what the--correctly identified what has 
been the Department's policy until HITECH was passed, which was 
to give covered entities under investigation the opportunity to 
implement corrective action, and that would serve as a basis 
for resolution of those cases.
    HITECH has changed the environment significantly in two 
ways. The first is there no longer is a hard requirement that a 
covered entity be given that opportunity. We will still do it 
in many and most cases, but there is not necessarily a hard 
requirement that a covered entity be given that opportunity to 
implement corrective action before we move to penalties.
    The other thing that HITECH has done is that it has 
dramatically increased the penalties, particularly for those 
entities that have engaged in wilful neglect of their 
obligations under the privacy and security rules. So, I think 
that's the reason why that has occurred historically. As I 
said, I think you have witnessed what are essentially the 
beginnings of the change in that environment.
    Senator Franken. I think one of the problems is that there 
are a lot of important regulations that HHS has yet to finalize 
in order to implement the protections of the HITECH Act. For 
example, HHS has yet to issue final enforceable regulations for 
the Business Associate Rule, and we were talking about business 
associates here, which requires contractors and consultants 
that receive health information to protect it, much in the same 
way that hospitals and insurers already have to.
    This is a really big problem because the whole purpose of 
the HITECH Act was to plug the holes left by HIPAA. But those 
holes aren't plugged because the regulations have been delayed. 
When do you anticipate issuing the Business Associate Rule and 
other remaining rules in final form? It's been two and a half 
years since the act was passed. Go ahead.
    Mr. Rodriguez. I certainly agree, Senator Franken, that the 
proposed Business Associate Rule really does plug what is a 
considerable hole in the privacy and security enforcement 
architecture. What I can tell you, Senator, is that we've 
received extensive comments on both the business associate 
proposed rule and a number of other provisions under HITECH, 
that we have worked diligently to analyze those comments and to 
prepare regulatory text based on our analysis, and we are 
working as diligently as we can toward a final rule. I can't 
give you a timeframe at this time.
    Senator Franken. OK. Well, hurry up.
    Ms. Lynch, HHS has referred to DOJ 495 cases for potential 
criminal prosecution since 2003, but the Department has 
informed my office that DOJ has prosecuted just 16 individuals 
for criminal HIPAA violations. My understanding based on your 
testimony is that DOJ prosecutes a large number of medical 
privacy cases under other criminal statutes for things like 
identity theft or wire fraud. Can you tell me how many of the 
495 cases referred by HHS DOJ has prosecuted under a statute 
other than HIPAA? Is that something you know?
    Ms. Lynch. Well, actually--and thank you for the question, 
Senator. I think I would not be able to give you a specific 
numerical answer on that, in large part because of the 
different way in which cases are tracked from an HHS referral 
to the way a case is opened up within the U.S. Attorney's 
Office.
    In particular, once we charge a case, if we were to use 
another statute--for example, identity theft or a computer 
intrusion statute--if that were our lead charge it would be 
recorded in that way. We wouldn't necessarily see the HHS 
connection. So I do think that unfortunately the numbers that 
you have are not reflective of the entire picture of what the 
Department is doing in relating to medical privacy cases in 
general, because those cases actually are ongoing.
    We do still receive referrals again through the process, 
through the pipeline from HHS, through the FBI, after their 
review, sending a subset over to us. I would say that in terms 
of those overall cases we're charging around 10 a year, some 
up, some down. We're obtaining convictions of around 10 a year, 
again, some up, some down depending upon the year, and these 
are often of multiple defendants for cases involving not just 
HIPAA, but these other statutes as well.
    Senator Franken. OK. Thank you. I just want to note that 
that was a very straightforward answer, and thank you for it. 
Based on the first part of the answer it seems because of the 
way you track this, it's impossible for you to really give me a 
definitive answer. Perhaps we could work together to try to 
find a way to change the tracking so that we could do our due 
diligence in terms of oversight in seeing how this is working.
    Ms. Lynch. Absolutely. I think the Department is eager to 
work with staff of this Committee, to work on ways to improve 
that and to provide you the information that you need because 
there are a lot of cases out there.
    Senator Franken. Thank you very much.
    The Ranking Member.
    Senator Coburn. Well, thank you both. Very enlightening 
testimony.
    Let me go through the three main areas for you all: fraud, 
extortion, and patient identity theft. Correct? Patient 
identity theft. That was your testimony. That's the main three 
areas. Which is the largest area?
    Ms. Lynch. At this point, again, without having the 
specific numbers in front of me, but knowing of the extensive 
efforts we're doing particularly in Medicare fraud, I would 
probably say the fraud area is the largest. But again, it's 
going to encompass a lot of different types of activities.
    Senator Coburn. And in cases involving HIPAA medical 
records, in your office in New York, how many cases have you 
all prosecuted?
    Ms. Lynch. I'm aware of one--one or two that we currently 
have going on. We also have a civil matter that's been settled. 
Again, we focus a lot on the Medicare fraud of it--aspects of 
it--and we may not in fact include the HIPAA statute all the 
time because the nature of the case, the facts may lend 
themselves to a different type of charge.
    Senator Coburn. You're going to prosecute where you can get 
the greatest amount of success and relief, correct?
    Ms. Lynch. Correct. Particularly relief. Correct.
    Senator Coburn. We know that the HITECH and HIPAA 
regulations in terms of using those laws to prosecute Medicare 
fraud and identity theft. What do we have in terms of the 
utilization to prosecute the misuse of a Medicare patient's 
Social Security number or a Medicare provider's billing number?
    Ms. Lynch. Well, I think----
    Senator Coburn. Because that's where the fraud is.
    Ms. Lynch. Yes. Absolutely. Well, the health care fraud 
statute has been a very successful tool for us, working in 
conjunction with HHS, in prosecuting large numbers of 
defendants for that. The cases in my testimony that were 
recently brought down, but also under the A teams which are 
located in several offices, mine included, we've done a number 
of those cases where patient data is used, sometimes illegally 
obtained, sometimes, sadly, obtained from patients who are 
involved in the fraud. But at this point in time, the health 
care fraud statute would be one, and then after that, identity 
theft.
    Senator Coburn. Would you think that increasing the 
penalties in terms of utilizing patients' Medicare and Social 
Security number or provider number would be beneficial in your 
all's effective carrying out of the law?
    Ms. Lynch. I think that right now--thank you for that. I 
think that right now we have a very effective framework of 
that. We would certainly welcome the opportunity to work with 
you on adjustments that could be made. If you're thinking in 
terms of the HIPAA penalties, there's a three-tier system, as 
I'm sure you're aware, of penalties.
    Senator Coburn. I'm thinking of raising the penalties for 
intentionally selling Medicare provider numbers or Medicare 
Social Security numbers, patient numbers or provider numbers, 
because that's where we see a lot of this in terms of the 
multitude of layers of fraud in terms of false billing to 
Medicare.
    Ms. Lynch. Right.
    Senator Coburn. Mr. Rodriguez, what do you all do right now 
to educate people that are under your purview to bring them up 
to speed with your new regulations and compliance? Since you're 
a little stronger now in terms of trying to get the 
enforcement, what are you doing to educate?
    Mr. Rodriguez. There are a series of activities in which we 
are engaged, and I very much appreciate the question. To begin 
with, our Web site contains extensive information, both on the 
original HIPAA requirements and then the new HITECH 
requirements, and they're readily accessible to any health 
provider who wishes to educate themselves on those 
requirements.
    In addition, we have an extensive media campaign where we 
talk about the requirements, particularly in publications that 
target the health care industry. We also make our staff 
available extensively to speak to health industry groups in 
order to convey the requirements under the statute. This is an 
area to which I am personally very committed. It is my 
intention to continue and intensify where necessary these 
education efforts.
    Senator Coburn. OK.
    Thank you, Mr. Chairman.
    Senator Franken. Thank you.
    Senator Whitehouse.
    Senator Whitehouse. Thanks, Chairman Franken. I thank the 
witnesses for attending.
    The flip side of the privacy issue with respect to your 
responsibilities is the opportunity that electronic records 
provide for investigative purposes. Senator Coburn and I were 
allies in a long battle to get the Drug Enforcement 
Administration to get off its insistence on paper records.
    And I can't speak for Senator Coburn, but what frustrated 
me was that I knew that there was some old DEA agent someplace 
who could remember making a case and sitting there with the 
paper records and thinking that that was what had to be 
protected, when in fact you can do an enormous amount of good, 
particularly with prescription abuse, which is exploding in 
this country right now, if you could get information as to what 
the peculiarities are with the dispensation of, particularly, 
controlled pharmaceuticals.
    So if a doctor goes from zero bottles of Vicodin a week to 
500, or if the same Medicare or billing number ends up getting 
controlled substances at five different doctors, that gives a 
wonderful opening to law enforcement to be able to focus its 
resources on areas that are going to be productive.
    I'm wondering what your experience has been with the 
utility of electronic prescription records, Medicare billing 
records, and other data sources at targeting law enforcement at 
the real miscreants in this area, and how vulnerable you think 
the process that de-individualizes that data so that people can 
look through it without necessarily knowing who the individuals 
are associated with that data, how effective that de-
individualization is, and what its weaknesses are. I'll ask 
both of you the same question.
    Ms. Lynch. Sure.
    Senator Whitehouse. U.S. Attorney Lynch first.
    Ms. Lynch. Thank you, sir. I'm sorry, I didn't mean to jump 
the gun there.
    Senator Whitehouse. No, go ahead.
    Ms. Lynch. Thank you. I appreciate the opportunity to talk 
about that, because in fact what you have just described is an 
important part of our current health care fraud prosecution 
strategy. Through the A team, as I mentioned, we do a lot of 
work both with the FBI and with HHS Office of Inspector 
General, particularly in New York, at looking at fraudulent 
billing cases.
    As I mentioned to the Ranking Member, some of these involve 
the misuse of patient data and some of them involve simply 
false billing for non-existent services. In recent years, the 
improvement, I should say, in the real-time tracking of 
Medicare billing through upgrades to the HHS system has been 
invaluable to us in letting us see exactly the types of shifts 
that you are referring to.
    In the metropolitan New York City area, for example, we are 
able to look now and see data that is less than one month old 
as opposed to having to wait for, as you mentioned, the paper 
records or even a slower computer record that could be months 
old. By that time, a clinic that is giving out a lot of false 
billings could have folded up and moved on by the time we found 
our way to it. Using the exact kind of data that you mentioned, 
much more real-time analysis enables us to use other 
investigative tools.
    In a case in my district last summer, we used extensively--
we used undercovers. After getting some informant information, 
we used undercovers to go into a clinic that was billing in 
Brooklyn, and because of what we saw in there, we were able to 
marry that with the data showing a spike in billings that we 
felt were fraudulent and we were able to obtain court-
authorized electronic surveillance of that particular clinic 
and arrest not only doctors but also some patients who, sadly, 
were participating in the scheme. They were elderly patients 
being paid to turn over their numbers there. So that's a little 
bit different from the theft of the information. There, people 
are basically providing it.
    Senator Whitehouse. Let me jump in for the last couple of 
seconds to ask Mr. Rodriguez to respond also.
    Mr. Rodriguez. Sure. First of all, as a former health care 
fraud prosecutor, and including one who has worked on many drug 
diversion cases, I full well know the seriousness of the 
problem that you've identified, Senator. We see in many of the 
health care privacy cases very often there is also, as U.S. 
Attorney Lynch has identified, sometimes a component of either 
a health care fraud or drug diversion that actually initiates 
those cases rather than them coming in as privacy complaints. 
In fact, they start on the health care fraud or drug diversion 
side of the house. So it's a very real problem that you've 
identified. We collaborate with prosecutors in cases where 
those sorts of issues have been identified.
    Senator Whitehouse. My time has expired. Thank you, Mr. 
Chairman.
    Senator Franken. Thank you for your questions, Senator.
    Senator Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman. Thank you both 
for being here.
    I want to ask you about the gaps in HIPAA health data 
protection. I speak as an author of one of the bills that had 
been reported out of this Committee, S. 1535, the Personal Data 
Protection and Breach Accountability Act. There are three 
bills, and that bill is one of them. Of all the data breach 
bills currently being considered by the Senate, my proposal is 
the only one that explicitly protects health information. All 
three bills allow ``covered entities'' regulated by HIPAA to 
continue to be governed by that regime, but only the bill that 
I have authored, S. 1535, explicitly extends its protections to 
health data held by companies that are not currently covered by 
HIPAA.
    So my question to both of you is, what types of entities 
hold health data that are not covered by HIPAA, and do you 
think it's important to ensure that that health data held by 
third-party companies not covered under the current law also be 
protected, that they be required, in fact, as the bill would 
do, to take steps to protect it against theft or other kinds of 
breaches and the other kinds of protections--for example, 
remedies, insurance, notification, and so forth--that the laws 
would provide?
    Mr. Rodriguez.
    Mr. Rodriguez. Yes. Thank you, Senator Blumenthal, for that 
question. As you know, the HIPAA statute really covers three 
types of what we call covered entities: health care providers, 
health plans, and health care clearinghouses. Health providers 
are defined as those health providers that transmit certain 
standard health information transactions electronically. 
Excluded from that definition can be providers who don't 
transmit health information transactions electronically, 
typically, for example, in a private-pay sort of enforcement. 
So there clearly are health care providers out there who are 
not currently subject to the HIPAA statute.
    Having said that, it is our sense that the HIPAA statute 
does cover the vast majority of health care business that 
occurs in the United States.
    Senator Blumenthal. What about the other two categories 
besides the providers?
    Mr. Rodriguez. Again, if you fall outside of those three 
definitions, which include health plans, exactly what the name 
suggests, or health insurance plans, and health clearinghouses, 
which are entities that take non-standard health information 
and convert it to standard information, typically for billing 
but also potentially for other purposes. There are clearly 
other sorts of entities outside of those definitions that have 
health information and are not currently covered by the HIPAA 
statute.
    Senator Blumenthal. Would you recommend to the Senate and 
the Congress that it extend those protections to entities not 
covered currently by the HIPAA statute?
    Mr. Rodriguez. We certainly would be very willing to work 
with the Senator and his staff, providing technical assistance 
on that bill. I'm not permitted to specifically endorse a 
particular----
    Senator Blumenthal. Well, is there a reason that you would 
recommend against it? In other words, why shouldn't those same 
protections be extended to those other entities that have 
possession of this same kind of sensitive and confidential 
information?
    Mr. Rodriguez. No. And I would suggest the way--we would be 
most pleased to work with the Senator and his staff on that 
bill, on providing technical assistance in your work on that 
bill.
    Senator Blumenthal. Thank you.
    Did you have a comment, U.S. Attorney Lynch?
    Ms. Lynch. No. Just to echo what Mr. Rodriguez said, I 
think the Department would also look forward to working with 
the Senator on looking at those issues as well.
    Senator Blumenthal. Thank you.
    In the short remaining time I have left, I would like to 
ask whether you are satisfied that there have been sufficient 
criminal prosecutions under the HIPAA statute. I know that some 
may have been--some cases may have been recommended for 
prosecution, but not actually done.
    Mr. Rodriguez. Actually, the health privacy environment 
reminds me very much of the health care fraud environment in 
which I worked for a significant portion of my professional 
life. The trend that we saw in the health care fraud 
environment is a large number of criminal cases and a large 
number of civil cases where, for example, the False Claims Act 
and other authorities provided really significant monetary 
penalties to police health care fraud, and very often in many 
cases those monetary penalties were really the right approach, 
the right hammer, if you will, to policing health care fraud 
issues. I think the health privacy environment is very similar.
    While there is a certain layer of cases that do merit 
criminal sanctions, in my view, where the real frontier is, is 
in our leveraging these new, stiff penalties that we have under 
the HITECH statute and expanding our utilization of those 
penalties.
    Senator Blumenthal. You're talking about civil penalties?
    Mr. Rodriguez. Yes, sir.
    Senator Blumenthal. And why not criminal penalties?
    Mr. Rodriguez. Because our experience is that many of the 
cases that we see, in terms of the complaints that we receive, 
point to not cases of intentional disclosure of protected 
information for the sorts of criminal reasons that U.S. 
Attorney Lynch identified, but rather wilful neglect to follow 
the obligation by a covered entity to follow the obligations 
that the law imposes.
    Senator Blumenthal. My time has expired but I want to thank 
you both again for your being here and for your very helpful 
testimony. Thank you.
    Senator Franken. All right. Yes. Thank you, Senator.
    The Ranking Member has to leave, but we will extend to him 
the opportunity to ask questions for the record. I also want to 
thank U.S. Attorney Lynch and Mr. Rodriguez for your testimony, 
and you are now excused. You can go.
    We will proceed to the second panel of this hearing. I 
would like to introduce our second panel. We have Kari Myrold, 
who is the privacy officer of Hennepin County Medical Center in 
Minneapolis, again, about five or six blocks from my home 
there. It's a great, great hospital.
    As privacy officer, Ms. Myrold oversees the implementation 
and use of electronic health records and ensures HCMC's 
compliance with State and Federal privacy laws and ensures that 
patient records are private and secure. Ms. Myrold received her 
law degree from Hamline University in St. Paul and her 
undergraduate degree from St. Cloud State University in St. 
Cloud, Minnesota. Welcome.
    Deven McGraw is the director of the Health Privacy Project 
at the Center for Democracy and Technology. Ms. McGraw was 
recently appointed by Secretary Sebelius to serve on the Health 
Information Technology Policy Committee. Prior to this, she was 
the chief operating officer of the National Partnership for 
Women and Families. Ms. McGraw received her undergraduate 
degree at the University of Maryland, her Master of Public 
Health from Johns Hopkins, and her law degree and LLM at 
Georgetown University Law Center.
    Thank you, Ms. McGraw, thank you, Ms. Myrold, for joining 
us. Your complete written testimony will be made a part of the 
record, and you each have five minutes or so for any opening 
remarks you would like to make.
    Ms. Myrold, please go ahead.

  STATEMENT OF KARI MYROLD, PRIVACY OFFICER, HENNEPIN COUNTY 
                MEDICAL CENTER, MINNEAPOLIS, MN

    Ms. Myrold. Mr. Chairman and Senators Whitehouse and 
Blumenthal, thank you for the opportunity to appear on behalf 
of Hennepin County Medical Center as a provider in this hearing 
with regard to the electronic health record and privacy rules.
    Although Hennepin County is a very fascinating facility, I 
could tell you lots of things about it, I am here really to 
speak to one of those things in particular. However, to put it 
in perspective, I would like to let you know that Hennepin 
County Medical Center is a 477-bed hospital with six primary 
clinics and a number of specialty clinics. It also is a 
teaching facility and is noted as Minnesota's premier Level One 
trauma center, both for adults and pediatrics.
    In 2002, Hennepin County Medical Center embarked upon a 
journey to implement an integrated electronic health record. We 
had siloed applications. Say you had an application coming out 
of the neonatal unit, one out of radiology, and maybe one out 
of the emergency department. Hennepin County Medical Center 
decided to integrate both the patients' records throughout the 
facility as well as include the revenue cycle management 
system.
    Hennepin County Medical Center's goals in doing this were 
to enhance the patient experience, improve the quality of care 
and patient safety throughout the facility, support research 
and education, and sustain the organization. Although 
improvement is ongoing in the electronic health record, there 
are always updates to be made.
    Hennepin County has actually achieved these goals, 
including adding certain modules such as Care Everywhere, which 
is our software provider's application for the health 
information exchange within our metro area, and that actually 
is done with patient consent that we provide that opportunity 
for patients and other providers to be able to treat patients 
throughout different facilities.
    We also have added a MyChart module, which is really the e-
patient chart access where a patient can log on, schedule their 
own appointments, check their lab results, and view their own 
record. Then, most recently, we added a Carelink module, which 
is for our community users, so instead of faxing or delivering 
an inch of paper to, say, a long-term care facility, what we 
can do now is we train and provide access for one or two 
individuals from that facility, that's one example, for a 
discharge from one of our units. So that long-term care 
facility access person can then determine whether or not that 
would be an appropriate placement upon discharge for that 
person.
    Then through performance and improvement of our electronic 
health record, I would just like to note that Hennepin County 
Medical Center has actually achieved Stage Six on a 0 to 7 
scale through the Health Information Management System Society 
adoption model, and really that is--we're working toward Stage 
Seven in 2012, and that's the top. Only one percent of 
hospitals nationwide actually achieve Stage Seven.
    Also, in fulfilling one of our goals that I mentioned 
earlier, in being able to capture and measure data, Hennepin 
County Medical Center was an early attester to meaningful use. 
We have actually received our first payment and that was 
actually over $1 million. That was in August of 2011. Only 10 
percent of hospitals at that point in time had achieved that 
status.
    Hennepin County Medical Center is a public subsidiary 
hospital; therefore we were subject, long before HIPAA, to the 
Minnesota Government Data Practices Act. Minnesota was, 
therefore, a little bit advanced with regard to privacy rules. 
We also are subject to accreditation standards through the 
Joint Commission; they have an information chapter, and through 
that we have to make sure that we provide privacy and security 
for our patient data. And then along came HIPAA, and then, of 
course, HITECH.
    Chairman Franken has already indicated the critical example 
we had of testing our first test case with the electronic 
health record in the tragic collapse of the 35W bridge. Along 
with using the patient health record, we also tested that for 
auditing of staff access with regard to privacy violations.
    There are a number of areas where I can see improvement 
necessary throughout the rules, and some of those might be that 
model policies and procedures could have been included with 
regard to the rules. There are a number of organizations who 
apply policies inconsistently, and when you do have a question 
or investigation with the OCR, one of the first things they're 
going to be asking you for is your policies.
    They have been very cooperative in assisting you in 
modifying any that you might need, but there's a lot of time 
and attention given to these in advance and I think models 
would have helped in that regard. Business associates, data 
breach notification, expanding the definition of a covered 
entity, encryption, and then accounting of disclosures are 
other areas where I certainly can see that we could make 
improvements.
    Thank you.
    Senator Franken. Thank you very much, Ms. Myrold.
    [The prepared statement of Ms. Myrold appears as a 
submission for the record.]
    Senator Franken. Ms. McGraw.

 STATEMENT OF DEVEN McGRAW, DIRECTOR, HEALTH PRIVACY PROJECT, 
      CENTER FOR DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC

    Ms. McGraw. Thank you very much for the opportunity to 
testify. I want to start by saying that people like Ms. Myrold 
and her colleagues at the Hennepin County Medical Center and 
others across the country who are adopting electronic medical 
records and proving that they can actually be a big difference 
in how health care is delivered in our country, both in terms 
of cost and quality, they're really the reason why I do this 
work.
    The public, when you survey them, is very supportive of the 
commitment we're making to health information technology. We 
are already starting to hear about some promising results, and 
I think we're going to hear more in the very near future.
    At the same time, we know that the public consistently 
expresses a concern about the privacy and confidentiality of 
their digital health records, and for good reason. The amount 
of breaches that we see is one reason why people are 
concerned, but for about a quarter of the population, based on 
survey data, these privacy concerns are going to cause us to 
withhold information from our health care providers because 
we're not confident that that information will be kept 
confidential, or we might not be truthful about our 
circumstances, or we might decide not to seek care at all. 
That's a problem. Even though it's only for about a quarter of 
the population we don't want to leave them out of the 
revolution that we're trying to seed.
    Then for the rest of us who may not exercise concerns to 
that degree, it's still going to jeopardize our trust in the 
electronic health record system that we're trying to create and 
our willingness to support it, quite frankly, with taxpayer 
dollars.
    So clearly Congress recognized that this was an important 
issue to address and in the stimulus legislation there are a 
number of really important changes to the HIPAA privacy and 
security rules, and we supported each and every one of them. 
But making actual progress in terms of implementation, as has 
been pointed out, has been agonizingly slow and we wish that 
were not the case.
    So I just want to use the few minutes I have to try to cram 
in some of what's in my written remarks, but I'm glad to hear 
the rest of it will get in.
    As has already been emphasized, we need the regs. We really 
need the regs. Give me the regs. You know, Congress--you wanted 
these provisions to go into effect a year post-enactment, and 
here we are almost three years later and we don't have most of 
them.
    We know that the administration can act promptly when it's 
a high priority. We saw the regulations for the Medicare shared 
savings program finalized within five months of being proposed. 
I guess I just don't understand why this takes so long. I 
recognize that it's not just in the hands of the Department of 
Health and Human Services, so I guess I'll use my bully pulpit 
to call on the administration to get the review done and get 
them out.
    The improvements in HITECH on enforcement were badly 
needed, but we don't yet have a consistent, reliable 
enforcement environment. I'm very glad to hear the testimony of 
both of the individuals on panel one with respect to a strong 
commitment to enforcement. We think it's incredibly important.
    But we also are very much on board with more transparency 
with respect to how HIPAA is enforced, both on the DOJ and the 
HHS side. Summary statistics don't really tell you very much 
about what's really going on in the field in terms of 
compliance with HIPAA, and particularly where the Department is 
likely to continue to try to seek voluntary corrective action 
on the part of institutions.
    And I agree, this is not a bad idea per se, but I 
personally would like to know more about the circumstances 
under which voluntary correction is sought. Are there any 
patterns to it? Is there a need for us to provide more guidance 
to the field or to enforce in more areas?
    HIPAA does not protect all health data. Senator Blumenthal, 
you pointed this out in your questions. It only covers certain 
types of health information held by certain entities in the 
health care system. It covers some things, but not other 
things.
    Health data is rapidly migrating out of the traditional 
health care system, mostly because it's increasingly being 
shared by consumers online. Eighty percent of people who are 
online do searches for health information and there are 
presumptions made about them based on those searches that often 
result in them being targeted for ads. But that was the subject 
of another hearing.
    But personal health records offered by internet companies, 
social networking sites like Facebook and those that are 
dedicated to specific diseases, none of that data is going to 
be covered by HIPAA. Congress took care of breach notification 
for personal health records, but beyond that there are no other 
protections in law beyond what these companies might commit to 
doing in their privacy policies, if they make any such 
commitment at all.
    If they breach a commitment, then the Federal Trade 
Commission can hold them responsible. If they don't make a 
commitment or they make a vague commitment, we don't really 
have the sort of comprehensive set of rules that we do have on 
HIPAA-covered entities and we need it.
    I guess I'll squeeze in, last, regulations on business 
associates, downstream contractors. They are an important source 
of health care data. As was pointed out by Mr. Rodriguez, the 
subcontractors have been a big part of the breach problem. He 
says we need the HIPAA regs to provide the enforcement on 
business associates right away. But it also needs to be very 
clear that a contractor gets data for a specific purpose and 
should be limited in how they use that data to accomplishing 
that purpose, and we're not quite there yet.
    So I'll stop and be happy to answer your questions. Thank 
you again for the opportunity.
    Senator Franken. Thank you, Ms. McGraw.
    [The prepared statement of Ms. McGraw appears as a 
submission for the record.]
    Senator Franken. Thank you, Ms. Myrold, for your testimony. 
I'm sure that a lot of what you have in your written testimony 
that you didn't get to, you'll be able to get to via these 
questions.
    Ms. Myrold, the Hennepin County Medical Center has made 
significant investments in electronic health records. You made 
that clear. At the same time, it's made a big investment in 
policies and technologies that will protect patient privacy. 
Why is--and I think Ms. McGraw spoke to this--patient privacy 
so important in health care? How does it affect treatment?
    Ms. Myrold. Well, I think, number one, patients need to be 
comfortable and confident, have confidence in their providers, 
so that when they're in there seeking treatment they want to 
make sure that they're able to disclose everything that they 
need to disclose in order to get the right treatment. Having 
that confidence means that their information is going to be 
protected.
    Reputations are harmed. Over and above all, a provider is 
also a business. So if you want to maintain your patient base 
and attract more patients, you want to make sure that you're 
not one that's in the headlines breaching patient information. 
So it's sensitive data and the right thing to do is make sure 
that you protect that data. There are also mandates, of course, 
that we have to comply with.
    Then at HCMC, one of the things that we have found is that 
if you're encouraging your own employees to seek care 
throughout your clinics and your hospital, the first thing you 
want to make sure is that those employees know that their 
information is going to be protected from other employees.
    Senator Franken. Thank you.
    Ms. McGraw, as you mention in your testimony, HIPAA and the 
HITECH Act are not comprehensive. Health information privacy 
laws don't protect all health information, they just protect 
certain health information when it is in the hands of certain 
kinds of companies or providers. Can you give us examples of 
companies that have a lot of health information which are not 
covered under HIPAA or the HITECH Act, and what kinds of 
information they may have?
    Ms. McGraw. Sure. So just some examples of some entities, 
and they're largely in the Internet space, the examples that we 
know of that are getting increasing amounts of health data that 
would not be covered under HIPAA, either as a covered entity or as 
a business associate, would be a personal health record vendor 
like Microsoft's Health Vault. Google had a personal health 
record product but they have since closed that line of 
business. But there's a consortium of employers called Dossia 
that also offers a personal health record to their employees, 
and Dossia is not at all covered.
    PHRs collect data from consumers that they get that they 
either input themselves or that they get from their medical 
providers, because they have a right to get a copy of their 
health data, and so the uptake on these is low to date, but 
it's increasing. It's more than doubled over the past couple of 
years, and we expect it to increase.
    Again, people do searches online for health data. People 
are increasingly using social networking sites in order to 
interact with people who have similar conditions that they do 
and to share concerns about diseases and symptoms, and none of 
those entities would be covered under HIPAA, yet they are 
getting increasing amounts of health data, very sensitive 
health data in some circumstances.
    Senator Franken. If these entities aren't covered by HIPAA 
or the HITECH Act, I'd like for you to tell us what kind of 
protection information held by these entities has under 
Federal law. Could these companies sell this information to 
third parties?
    Ms. McGraw. Sure. So one thing that HITECH did do for at 
least the personal health record vendors was to say if you as a 
PHR vendor breach data, then you have to notify the individual 
and the Federal Trade Commission of the breach. But that was 
the extent of the protections that are applied to this 
particular part of the ecosystem. So, just the PHR vendors and 
just breach notification.
    So as a result, what you have is the Federal Trade 
Commission's traditional authority to crack down on unfair and 
deceptive trade practices. So in your privacy policy as a 
company, if you say I will not sell your data and then you sell 
it, then the FTC has the authority to come after you for 
violating the terms of your privacy policy. But if you make no 
commitments with respect to the sale of data or you say 
outright, I'm going to sell your data, there certainly isn't a 
law that prohibits you from doing that.
    Senator Franken. Thank you. That makes sense.
    Ms. Myrold, the last part. In the past, Ms. McGraw and 
others have called for health care providers, insurers, and 
other entities covered by HIPAA and the HITECH Act to place 
tighter restrictions on the health information they share with 
their business associates. My understanding is that Hennepin 
County Medical Center has actually been a model in this regard 
and that you place very high restrictions on what your business 
associates can or cannot do with the health information they 
receive. Can you describe that policy?
    Ms. Myrold. Certainly. HCMC does have a very tight process. 
We actually require all of our vendors to define for us which 
PHI--Protected Health Information--that they are in need of, 
how they are going to be using that Protected Health 
Information. Basically relying on what HIPAA has as the minimum 
necessary rule, we're only going to allow them access to what 
it is they need in order to perform the services for us that 
they're going to be performing.
    If a privacy--or if a vendor is actually going to be 
accessing, like I mentioned the long-term care facility 
earlier, we actually provide them privacy training as well. 
It's required prior to their actually accessing our electronic 
health record. Then of course we also ask for them to comply 
with any security requirements. We used to ask for them to pay 
for a third-party vendor to get a current security assessment.
    Now that was actually quite difficult for some of the 
vendors, and so what we're asking for now is that even if 
they've performed some kind of an internal security assessment, 
we want something that's been done within that past year. So if 
we're accessing through VPN tunnels, or however we're going to 
be sharing data through portals, however, we're going to be 
sending them information, we want to make sure that that's 
secure and they have that set up within their own technology.
    Senator Franken. Ms. McGraw, would you like to explain how 
business associate agreements could be crafted more narrowly 
and whether you think this is a change that should be pursued 
through statute or regulation?
    Ms. McGraw. Sure. So the way that business associate 
agreements could be crafted more narrowly would be to emphasize 
that the agreements have to specify the permitted uses of the 
data and not--to me the regs err on the opposite side of that 
question, which is to say the agreement must say what cannot be 
done with the data, which means if it's not prohibited and as 
long as it's within the confines of what's permissible under 
HIPAA, then it can be done.
    That's why we've heard some anecdotal reports of business 
associates who essentially have provisions in their contracts 
that say we can use this data to meet our business purposes. So 
since the agreement doesn't prohibit them from using data in 
certain ways, they could do so based on the contract that they 
have.
    I think we would much prefer to have a provision that 
requires some defining of the permissible uses versus stating 
that you can do it unless it's prohibited. This is absolutely 
accomplishable by regulation, but I think it's always helpful 
when Congress sends a signal to the regulators about what it 
would like to see. It can be accomplished from a legal 
standpoint through a reg, but we certainly would not--we would 
be willing to work with you on legislation that would provide a 
more clear signal to the Department about what Congress wants 
to see.
    Senator Franken. Thank you.
    Senator Whitehouse.
    Senator Whitehouse. Thank you, Chairman.
    Ms. Myrold, we suffer from the price of new technologies 
pretty often. The casualties in automobiles are a significant 
issue, but the value to the U.S. of the automobile is pretty 
widely respected by everybody. With respect to health 
information technology, a lot of Americans are seeing the 
privacy cost of things going wrong and of private health 
information escaping, but often don't have the same access to 
the value of health information technology that one does from 
the experience of driving a car.
    I've been involved with provider groups in Rhode Island, 
like the Aquidneck Medical Associates and with community health 
centers like Thundermist, and nursing homes, and a whole 
variety of health care providers who have had a common 
experience, which is that it is a real pain in the neck to get 
onto electronic health records, but once they are, they can't 
possibly imagine going back to the bad old days of paper files.
    I'm just wondering for the record of this hearing what your 
experience has been, on balance, with the Hennepin County 
Medical Center's transition to electronic health records and 
more advanced health information technology. On a net basis, 
how good a thing has it been? Would you consider going back?
    Ms. Myrold. I don't think they'd ever consider going back. 
I think that's basically because patient safety is number one. 
If you have access to all the medications that a patient is on 
in one chart, or if you have a number of providers that can be 
accessing that chart, say consulting from one department to 
another and they're looking at the same chart, that's going to 
provide you much better patient care.
    It was a very high cost to implement this, and like I said, 
it's a public hospital, and so it's not as if there was a lot 
of extra dollars there. But they chose knowing, and after going 
through quite a significant selection process and design 
process, that this was going to definitely aid in their 
critical care of their patients.
    Senator Whitehouse. Thank you.
    Ms. McGraw, you came here to lobby us, but I'm going to 
lobby you back.
    Ms. McGraw. Oh. Oh, good.
    Senator Whitehouse. The Center for Democracy and Technology 
is an important voice in these issues, and I feel very strongly 
that we stand to gain immense advantage from a much more robust 
health information infrastructure. In the earlier panel, we 
talked a little bit about the law enforcement investigative 
advantage, which would not exist if it were not for that. Ms. 
Myrold just talked about a patient safety advantage. I think 
that the day will come fairly soon when a robust-enough health 
information infrastructure will support personalized medicine 
apps.
    So in the same way you've got an iPhone now and you can 
download an app to it, there will be competition with apps that 
will help individual patients through their course of 
treatment, particularly where they have chronic conditions, and 
will help doctors make sure that things aren't forgotten, a 
little bit the way a pilot does a checklist before take-off.
    Too much of what goes wrong in health care goes wrong 
because those simple, preventable things don't get done. I 
think that the time will come very soon when there is enough 
information out there that we will learn an enormous amount, or 
perhaps even create new industries, out of looking at all that 
health information and being able to figure out what's a 
strange anomaly, why is that happening, why is this good thing 
associated with these conditions or this bad thing associated 
with those conditions, and we'll learn from that.
    If we're going to do that we have to have good access to 
that health information data. It has to be de-individualized. 
Nobody needs to know that it's Deven McGraw's data, they simply 
need to know that a person with these characteristics has this 
circumstance.
    Ms. McGraw. Yes.
    Senator Whitehouse. So I hope that the Center for Democracy 
and Technology will be an energetic advocate for the 
propagation of a robust health information infrastructure, 
knowing that there are these critical fault lines where 
patients have to be protected not only in their individual 
data, but also when it's being looked at in the aggregate. Are 
you comfortable that the way that--we're adequately poised to 
be able to review that aggregated data in a de-individualized 
way so that privacy is not impinged by that process?
    Ms. McGraw. Right. Well, we--thank you very much for that 
question, Senator. We at CDT have enjoyed a very good working 
relationship with you and your staff over many years. The 
reason why we do this work is because we believe so completely 
in the power of technology to be transformative in this regard, 
and the idea of privacy is to enable that transformation, to 
make sure that consumers trust it enough to be comfortable with 
their data being part of it, whether it's an identifiable form, 
which it needs to be in some circumstances, but much more often 
it doesn't need to be identifiable.
    It can be de-individualized, which I actually like that 
term very much because it's different from de-identification, 
which is a HIPAA term of art. We have done work in the past, 
and we're continuing to do work, on issues of how you can make 
sure that data is not uniquely identified to an individual but 
can still--but you can still robustly use it to do comparative 
effectiveness research, to examine trends, even for business 
analytics.
    I mean, data drives good decision making, and it should be 
doing that in health care, too. So we're convinced. Whatever 
more we need to do, we'd be happy to work with you on that. But 
that is our central philosophy, that the technology is good. 
The use of the Internet by people to improve their health is 
good. We need to make sure it's a trustworthy environment so 
that everybody is comfortable in that space.
    Senator Whitehouse. Good. Well, I appreciate that. I'm at 
the age where I can remember before word processing, I can 
remember when the Selectric typewriter was a big deal. 
Certainly I can remember pre-Google. My kids, you know, look at 
my description of the pre-Google environment and just say, 
``Dad, you're so weird.'' They kind of don't get that there was 
ever a point when we could have been so primitive that you 
couldn't just Google something and, poof, there it was in front 
of you.
    I think that the same thing is going to happen in health 
care, that we're in the pre-Google moment with respect to 
personalized health care, supported by individual applications 
that are supported by a robust health information 
infrastructure. The time will come, I think before my kids have 
kids, so that they don't have to, on this particular subject, 
be told by their kids, Mom, Dad, you're so weird. But thank you 
for helping that day come sooner.
    Senator Franken. I was the first writer on ``Saturday Night 
Live'' to get a word processor. Thank you, Senator Whitehouse.
    [Laughter.]
    Senator Franken. Senator Blumenthal.
    Senator Blumenthal. Senator Whitehouse and Senator Franken 
are so much older than I; I have no idea about those days.
    [Laughter.]
    Senator Blumenthal. Not.
    [Laughter.]
    Senator Blumenthal. But my kids still think I'm weird.
    Senator Whitehouse. He did a lot of arguing in front of the 
U.S. Supreme Court. When he started, the quill that they give 
you was for real.
    [Laughter.]
    Senator Blumenthal. It's close to the truth.
    I am struck, Ms. McGraw, by one of the observations in your 
testimony. And let me just say, both of your written 
testimonies are absolutely superb. I know that you haven't 
covered all of it in your conversation with us, but I am very 
grateful for it and will follow up on a number of the points.
    But one of the points that struck me is your observation 
that ``the health care industry appears to be rarely encrypting 
data.'' You then observed, ``To the best of our knowledge, no 
one has done a comprehensive study of the reasons why the 
health care industry has not embraced the use of encryption.'' 
What possible justification can there be? Doesn't that fact 
itself cry out for the kind of data breach protection with 
strong remedies and enforcement and penalties if they fail to 
encrypt data?
    Ms. McGraw. So we clearly think it does. We thought that 
providing an exception in the breach notification provision 
that was enacted on both HIPAA-covered entities and for the 
personal health record vendors, provided an exception for 
entities that adopt encryption, would be a very strong 
incentive for them to adopt encryption.
    What we see from the breaches that have been reported for 
HIPAA-covered entities since 2009 is that, as was mentioned 
earlier, a good two-thirds of them are due to theft or loss of 
media that is an attractive target for theft or is easily lost, 
like the thumb drive that Senator Franken held up in his 
opening statement, or laptops. Geez, how many stolen laptops 
have we had? You had the number in your opening remarks. There 
are a number of them. Or hard drives that either can be easily 
walked out the door if nobody's looking or are inadvertently 
left in computers that are being sold or given away.
    So that's why I say it looks like encryption is rarely 
happening. The best reasons that I've been given, just through 
anecdotal remark, are it slows down access to data sometimes 
and it's expensive, and it can be expensive if you're talking 
about encrypting an entire server because that's a lot of data.
    But it's not that expensive to encrypt a thumb drive, and 
it's not that expensive at all to require people to sign onto a 
secure server to get access to the data so they don't have to 
have it on portable media to begin with. So we have really 
tried very hard to provide incentives to encrypt and not to 
have a hard-core requirement to encrypt on the health care 
industry in order to make concessions in areas where it might 
be too expensive for some health care providers or it might 
slow down access to data where instantaneous access is pretty 
critical.
    Yet, even on portable media where you don't have the timing 
issues and you don't have the cost issues, it's not happening. 
We would like to see more done in this regard, whether it's in 
the form of some more specific requirements or whether more 
guidance about when the Office of Civil Rights expects entities 
to encrypt. I think that would also be helpful.
    Senator Blumenthal. And I gather from both your written 
testimony and from your responses to my questions and Senator 
Franken's that you would certainly not object, you might even 
recommend, to many of the entities not now covered under HIPAA 
also be included in these protections, both as to encryption 
and any other requirements for systematic safeguarding of this 
information.
    Ms. McGraw. Absolutely. We wholly supported the provision 
in your bill on breach notification that it include health 
data. We thought that was an important advance. We have 
similarly supported consumer privacy bills that are pending, 
largely in the House, quite frankly, to do--provide, you know, 
a more comprehensive set of privacy protections for consumer 
data that of course would include health data, but also include 
financial data and other personal information that people 
routinely share. So we are absolutely supportive of that. This 
environment, the wild, wild west for data is not an environment 
of trust.
    Senator Blumenthal. And not one conducive to the spread and 
reliance on IT.
    Ms. McGraw. That's correct.
    Senator Blumenthal. Let me turn to another area that I 
think is important and certainly is worth a lot more than the 
two minutes I have remaining, but again I will follow up with 
you. You know, as a former enforcer, I was the attorney general 
of the State of Connecticut--in fact, I think the first 
attorney general to enforce the HIPAA protections under HITECH 
and a former U.S. Attorney--I happen to believe that these laws 
are useful only to the extent they are rigorously enforced and 
that they have effective penalties.
    So in terms of enforcement, maybe I could ask for both of 
you to make some observations about whether or not laws so far 
have been effectively enforced as widely and rigorously as they 
should be, and whether you think additional penalties should be 
included.
    Ms. Myrold. Well, Senator Blumenthal, I think that 
listening to the previous two speakers I began to wonder, 
what's wrong with the current enforcement provisions and why 
aren't we enforcing anything under the privacy rules? Are the 
facts not fitting within the context of the statute, or what's 
actually--is it not a big enough case? What's really going on 
there? Why aren't people encrypting? Why aren't business 
associates complying?
    I think a big reason is the final rules aren't here. We 
don't have final rules in, what, three areas? I think people 
just--they've lost credibility. People aren't taking it 
seriously. Until we actually get those final rules and people, 
knowing that they're going to actually be enforced, you're 
probably not going to see a lot more compliance. It's a big 
issue.
    Senator Blumenthal. Ms. McGraw.
    Ms. McGraw. I would completely--what she said.
    Senator Blumenthal. So quote you.
    Ms. McGraw. Ditto.
    Senator Blumenthal. We need the rules.
    Ms. McGraw. Yes, we need the rules. We need the rules.
    Senator Blumenthal. That was part of your opening 
statement.
    Ms. McGraw. Yes. And I would echo something else that she 
said when she talked about model policies. Like, more guidance 
is always helpful to the field. I think we're always going to 
have the law a little bit behind where the technology is going, 
but we can refresh by, you know, periodically putting out to 
the field what we expect of them rather than waiting for them 
to do something that looks more like a violation.
    Senator Blumenthal. Thank you.
    Senator Franken. Thank you, Senator.
    And I want to thank you both for your testimony and for 
your work. I'm very proud of representing you, Ms. Myrold. And 
thank you for your work, Ms. McGraw.
    In closing, I want to thank the Ranking Member, Senator 
Coburn, and I want to again thank all the witnesses that 
appeared with us today.
    I think there are few kinds of information more sensitive 
than health information, and technology has given us this 
wonderful opportunity to harness that information in a way that 
will make health care easier and more effective. I just want to 
make sure that we're getting all of those benefits. I think 
that what Ms. McGraw is saying and what you are acting on at 
HCMC is that when patients can be assured that there's privacy, 
that's when this electronic health information can be put to 
its fullest benefit. I think the benefits are clearly manifest.
    Like I said at the start of this hearing, I do believe we 
can do more to protect our information, both in terms of the 
laws we have on the books, and we need regs. I think you said 
``we need the regs, we need the regs, we need the regs.'' We're 
the Senate. You could have just said it once. We would have 
heard you.
    [Laughter.]
    Senator Franken. But anyway, there is work to be done here. 
We will hold the record open for one week for submission of 
questions for the witnesses and for other materials.
    This hearing is adjourned.
    [Whereupon, at 4:03 p.m. the hearing was adjourned.]
    [Questions and answers and submissions for the record 
follow.]
                            A P P E N D I X

              Additional Material Submitted for the Record

[GRAPHIC] [TIFF OMITTED] T7166.001

                    Prepared Statements of Witnesses

[GRAPHIC] [TIFF OMITTED] T7166.002

 Questions for Deven McGraw, Leon Rodriguez, and Kari Myrold Submitted 
                         by Senator Al Franken

[GRAPHIC] [TIFF OMITTED] T7166.045

 Responses of Deven McGraw to Questions Submitted by Senator Al Franken

[GRAPHIC] [TIFF OMITTED] T7166.048

   Responses of Leon Rodriguez to Questions Submitted by Senator Al 
                                Franken

[GRAPHIC] [TIFF OMITTED] T7166.050

 Responses of Kari Myrold to Questions Submitted by Senator Al Franken

[GRAPHIC] [TIFF OMITTED] T7166.054

                Miscellaneous Submissions for the Record

[GRAPHIC] [TIFF OMITTED] T7166.055